Adobe has alerted ColdFusion users to a critical security vulnerability affecting the platform.
In its regularly scheduled updates, Adobe supplied numerous security patches and fixes for some critical flaws.
According to Adobe, these flaws, if exploited, could lead to arbitrary code execution on vulnerable Windows systems or devices.
According to reports, the latest ColdFusion vulnerability, tracked as CVE-2021-21087, affects ColdFusion 2016 (Update 16 and earlier), 2018 (Update 10 and earlier), and 2021 (Version 2021.0.0.323925).
If exploited, these ColdFusion vulnerabilities could allow an attacker to execute arbitrary code.
Adobe has stated that, as of yet, no cases of the vulnerabilities addressed in the latest updates being exploited in the wild have been reported.
Experts analyzing these ColdFusion security flaws report that the vulnerabilities appear to be a consequence of improper input validation.
This class of problem occurs when an affected product does not validate its input, allowing that input to affect the data flow or control flow of the program. Malicious actors can subsequently launch a range of attacks by exploiting these vulnerabilities.
Patches deployed for Adobe ColdFusion versions:
The Adobe ColdFusion vulnerabilities have since been patched in ColdFusion 2016 (Update 17), ColdFusion 2018 (Update 11), and ColdFusion 2021 (Update 1).
ColdFusion updates rated “priority 2”:
The ColdFusion updates have been characterized as “priority 2” updates since they resolve vulnerabilities “in a product that has historically been at elevated risk” but for which there are currently no known exploits.
Addressing the ColdFusion security flaws, Adobe has stated that, based on the previous history of ColdFusion’s security flaws, it does not anticipate exploitation to be imminent for priority 2 updates.
Back in April 2020, Adobe released patches for security vulnerabilities in ColdFusion which, if exploited, could enable malicious actors to view sensitive data, gain escalated privileges, and launch denial-of-service attacks. In 2019, Adobe issued unscheduled security updates to fix two critical flaws in its ColdFusion platform. These critical vulnerabilities could have enabled malicious actors to either execute arbitrary code or bypass access control on impacted systems.
Adobe has recommended that users and administrators update their ColdFusion installations to the latest updates as soon as possible.